the art of avoiding authentication: how criminals are hacking apple pay from rsa conference 2016
TRANSCRIPT
2016 Pindrop™. Confidential.
THE ART OF AVOIDING AUTHENTICATION
RSA Conference 2016
HOW CRIMINALS ARE HACKING APPLE PAY
REOPENING A CAN OF WORMS
APPLE PAY TOPOLOGY
ENROLLMENT FLOW
EXPERIMENTAL PROCEDURE
• Generate a test Apple ID
  • Set the profile name to one different from the cardholder's
• April 2015
  • Enroll four cards from four separate providers
  • Try changing the Apple ID name to match the cardholder name
• September 2015
  • Re-enroll the same cards
  • Try changing the Apple ID name to match the cardholder name
• In each case, document the enrollment procedure
  • Note security issues
  • Note differences in the enrollment flow
WHY RE-RUN TESTS?
RESULTS – ISSUER #1
• April 2015
  • Add new card
  • Enter number, expiration, CVV, and name
  • Card is verified
  • Prompted for second-level verification
    • Issuer's app
    • Call issuer – answer KBAs
  • CSR stated the card would be associated with a mismatched Apple ID, and asked if that was OK
• Re-enroll with matching Apple ID
  • Add new card
  • Enter number, expiration, CVV, and name
  • Card is verified
  • NOT PROMPTED FOR CARDHOLDER VERIFICATION
RESULTS – ISSUER #1 CONT'D
• September 2015
  • Add new card
  • Enter number, expiration, CVV, and name
  • Card is verified
  • Prompted for second-level verification
    • Issuer's app
    • Call issuer – answer KBAs
• Re-enroll with matching Apple ID
  • Add new card
  • Enter number, expiration, CVV, and name
  • Prompted for second-level verification
    • Issuer's app
    • Call issuer – answer KBAs
RESULTS – ISSUER #2
• April 2015
  • Add new card
  • Enter number, expiration, CVV, and name
  • Card is verified
  • Prompted for second-level verification
    • Text to number on file
    • Email to address on file
    • Call issuer – answer KBAs
• September 2015
  • Add new card
  • Enter number, expiration, CVV, and name
  • Card is verified
  • Prompted for second-level verification
    • Text to number on file
    • Email to address on file
    • Call issuer – answer KBAs
RESULTS – ISSUER #3
• April 2015
  • Add new card
  • Enter number, expiration, CVV, and name
  • Card is verified
  • NOT PROMPTED FOR CARDHOLDER VERIFICATION
• September 2015
  • Add new card
  • Immediately errors out – asks the user to call the issuer
  • Called issuer
    • Call immediately answered by the "account protection" department
    • Issuer stated they were having problems with Apple Pay, and now require everyone to call
    • Emailed me an authentication token
RESULTS – ISSUER #4
• April 2015
  • Add new card
  • Enter number, expiration, CVV, and name
  • Card is verified
  • Prompted for second-level verification
    • Call issuer – answer KBAs
• September 2015
  • Add new card
  • Enter number, expiration, CVV, and name
  • Card is verified
  • Prompted for second-level verification
    • Call issuer – answer KBAs
    • Authenticate through app
      • Never could get it to work
RESULTS SUMMARY

April 2015

Issuer    | Requires cardholder verification | Authenticate via app | Authenticate via on-file info | Authenticate via phone (strong KBA) | Authenticate via Apple ID
Issuer #1 | Yes                              | Yes                  | No                            | Yes                                 | Yes
Issuer #4 | Yes                              | No                   | No                            | Yes                                 | –
Issuer #3 | No                               | N/A                  | N/A                           | N/A                                 | N/A
Issuer #2 | Yes                              | No                   | Yes                           | Yes                                 | –

September 2015

Issuer    | Requires cardholder verification | Authenticate via app   | Authenticate via on-file info | Authenticate via phone (strong KBA) | Authenticate via Apple ID
Issuer #1 | Yes                              | Yes                    | No                            | Yes                                 | No
Issuer #4 | Yes                              | Offered, did not work  | No                            | Yes                                 | –
Issuer #3 | Yes                              | No                     | Yes (emailed token)           | Call required                       | –
Issuer #2 | Yes                              | No                     | Yes                           | Yes                                 | –

Cell values follow the per-issuer results slides above; – marks a case the results slides do not report. "Authenticate via Apple ID" means the issuer skipped cardholder verification once the Apple ID profile name matched the name on the card.
KEY TAKEAWAYS
• Trusting the name associated with an Apple ID
• Leveraging the trust associated with an Apple ID
• Social engineering is still easy
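The first two takeaways come down to one decision in the issuer's provisioning logic: whether a user-controlled field (the Apple ID profile name) is allowed to substitute for cardholder verification. The following is an added example, written for this transcript and not code from Pindrop or from any issuer; it models the two behaviours the results slides report in April 2015 (Issuer #1 skipping verification on a matching Apple ID name, Issuer #2 always stepping up through channels on file) and runs a constructed stolen-card enrollment against each. The field names, policy names, channel labels and sample data are all assumptions made for illustration.

```python
"""Toy model of an issuer's Apple Pay provisioning decision.

Added example; not Pindrop's code and not any issuer's real logic.
Field names, policy names, channel labels and sample data are assumed.
"""
from dataclasses import dataclass
from enum import Enum


class Path(Enum):
    GREEN = "provision without further verification"
    YELLOW = "provision only after cardholder verification"
    RED = "decline"


@dataclass(frozen=True)
class ProvisionRequest:
    card_name: str        # name the user typed when adding the card
    apple_id_name: str    # Apple ID profile name, also chosen by the user
    card_verified: bool   # issuer's PAN / expiration / CVV check passed


def _normalise(name: str) -> str:
    # Case and spacing differences would not stop an attacker, so a
    # tolerant matcher is the realistic thing to model.
    return " ".join(name.casefold().split())


def weak_policy(req: ProvisionRequest) -> Path:
    """Issuer #1 (April 2015) style: a matching Apple ID name is treated
    as evidence of cardholder identity, so the yellow path is skipped."""
    if not req.card_verified:
        return Path.RED
    if _normalise(req.card_name) == _normalise(req.apple_id_name):
        return Path.GREEN
    return Path.YELLOW


def hardened_policy(req: ProvisionRequest) -> Path:
    """Issuer #2 style: the Apple ID name is attacker-controlled input and
    carries no weight; every verified card goes to the yellow path."""
    if not req.card_verified:
        return Path.RED
    return Path.YELLOW


def step_up_succeeds(channels_offered: set, channels_controlled: set) -> bool:
    """The step-up passes if any offered channel is one the caller can
    complete: an out-of-band channel they control, or phone KBA they can
    talk their way through."""
    return bool(channels_offered & channels_controlled)


def enrol(policy, req: ProvisionRequest, channels_offered: set,
          channels_controlled: set) -> bool:
    """One enrollment attempt; True if the card ends up provisioned."""
    path = policy(req)
    if path is Path.RED:
        return False
    if path is Path.GREEN:
        return True
    return step_up_succeeds(channels_offered, channels_controlled)


# Constructed sample: breached card data for "Jane Q. Cardholder" and an
# attacker who set that same name on a fresh Apple ID.
STOLEN = ProvisionRequest(card_name="Jane Q. Cardholder",
                          apple_id_name="jane q.  cardholder",
                          card_verified=True)
ISSUER1_CHANNELS = {"issuer_app", "phone_kba"}
ISSUER2_CHANNELS = {"sms_on_file", "email_on_file", "phone_kba"}
NO_CHANNELS = set()             # attacker holds only the card data
KBA_ONLY = {"phone_kba"}        # attacker can also pass phone KBA

if __name__ == "__main__":
    print("weak, card data only     :", enrol(weak_policy, STOLEN, ISSUER1_CHANNELS, NO_CHANNELS))
    print("hardened, card data only :", enrol(hardened_policy, STOLEN, ISSUER2_CHANNELS, NO_CHANNELS))
    print("hardened, plus phone KBA :", enrol(hardened_policy, STOLEN, ISSUER2_CHANNELS, KBA_ONLY))
```

Under the weak policy the attacker needs nothing beyond the breached card data and a self-chosen profile name; under the hardened policy the same request is forced onto the yellow path. The third run shows why the deck's last takeaway still matters: if phone KBA remains an accepted fallback, an attacker who can pass it bypasses the out-of-band channels regardless of how the Apple ID name is handled.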